Week 5 - Discussion for Week 5 PDF

Title Week 5 - Discussion for Week 5
Course Digital Forensics Analysis and Application
Institution University of Maryland Global Campus

Description

File Signatures, Data Hiding, and Metadata

Select one of the following questions below to answer. A minimum of 500 words is required, and they must be your own words. Including figures and quotes is value-added, but they will not count against your 500 word requirement.

1. What is a file signature and why is it important in computer forensics? Give examples of file signatures.

2. What is metadata as it relates to files? Can you find a computer forensic case that was discussed in the media where metadata was used to link someone to ownership?

3. What are some ways that people can hide data on a drive? For example, an Alternate Data Stream?

Hi all,

A file signature is defined as the data that is used to identify, or that helps to verify, the contents of a given file. A file signature, also called the magic number, is a number that acts as a unique identifier and is usually stored at the beginning of a file. The magic (unique identifying) number gives special information such as the type of information in the actual file. In addition, a file signature contains information which is used to determine whether the data contained in the file has been modified since the creation of the file, thus assisting in forensics. It is important in computer forensics because it checks whether the data matches the actual data, to find out the person responsible for a given cybercrime, which helps to solve a case.

File signature analysis is usually done using forensic applications such as EnCase, which enables the user to observe a disk image as well as carry out various different methods. For extensions such as 3gp, ico, gif, jpeg, png, etc., extensive published lists of file signatures are employed and matched against the extensions of files. There are thousands of file types, some of which have been standardized. When file types are standardized, a signature (or header) is recognized by the program the file belongs to. For example, if one were to see a .DOC extension, it is expected that a program like Microsoft Word would open this file. One tactic in trying to hide data is to change the 3-letter file extension on a file or to remove the extension altogether (What-Is-a-File-Signature, n.d.). If a mismatch is detected, then the file extension has been tampered with, which leads to a closer and further examination. This is done using a function referred to as a checksum, which uses the numeric values of the data in a file to come up with values that can be replicated once a file is loaded or transferred.

If you are using a Linux/Mac OS X/Unix system, you can use the file command to determine the file type based upon the file signature, per the system's magic file (Kessler, 2018). As an example, we can analyze a GIF file. The GIF file format uses a file signature of 0x47 0x49 0x46 0x38 0x39 0x61 (GIF89a) in the first few bytes of the file. After this, the key fields are Width (16 bits), Height (16 bits), Packed (8 bits), Color Index (8 bits) and Aspect (8 bits), followed by a color table of 256 24-bit colors (Napier, 2013). This means that GIF files have good resolution of the color of a pixel, but only have 256 different colors, which limits their scope. For example, the format is not good for photographs, as these typically need thousands of colors. When we analyze a file, we get the header below, and the starting part of the file shows the magic numbers (highlighted).

[00000000] 47 49 46 38 39 61 64 00 GIF89ad.
[00000008] 55 00 E6 00 00 FF FF FF U.......
[00000016] F7 F7 F6 F1 F4 F2 EE EE ........
[00000024] EF E7 E7 E7 E1 E4 E6 DF ........

The main difference between the file extension and the file signature is that the file extension uniquely defines the format of a specific file, while the file signature is the information header that is available in each file (What-Is-a-File-Signature, n.d.).

Cite:

“What-Is-a-File-Signature.” Center for Computer Forensics, www.computer-forensics.net/whatis-a-file-signature.html.

Kessler, Gary. “File Signatures.” Steganography for the Prosecutor and Computer Forensics Examiner, 23 Feb. 2018, www.garykessler.net/library/file_sigs.html?utm_source=tool.lu.

Napier, Bill. “File Forensics with Signatures.” Billatnapier, 9 Apr. 2013, billatnapier.wordpress.com/2013/04/09/file-forensics-with-signatures/....
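The signature check and GIF header layout described in the post, as an added example that is not part of the original post. It decodes the first bytes of the hex dump above and flags a file whose extension disagrees with its header; the signature table is a small subset of well-known magic numbers, and the file names are constructed.

```python
import struct

# Small subset of well-known magic numbers; an examiner would load a fuller
# list such as the Kessler table cited in the post.
SIGNATURES = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
}
ALIASES = {"jpeg": "jpg"}  # extensions that name the same format

def detect_type(data: bytes):
    """Return the type whose signature matches the start of data, else None."""
    for magic, ftype in SIGNATURES.items():
        if data.startswith(magic):
            return ftype
    return None

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the header identifies a type that differs from the extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = detect_type(data)
    return detected is not None and ALIASES.get(ext, ext) != detected

def parse_gif_header(data: bytes) -> dict:
    """Decode the 6-byte signature and the 7 header bytes that follow it."""
    if len(data) < 13 or detect_type(data) != "gif":
        raise ValueError("not a GIF header")
    # Width, Height (16-bit little-endian), Packed, Color Index, Aspect (8-bit)
    width, height, packed, color_index, aspect = struct.unpack_from("<HHBBB", data, 6)
    return {
        "version": data[3:6].decode("ascii"),
        "width": width,
        "height": height,
        "has_color_table": bool(packed & 0x80),
        # The low 3 bits of Packed give the table size as 2^(n+1) entries.
        "color_table_entries": 2 ** ((packed & 0x07) + 1),
        "color_index": color_index,
        "aspect": aspect,
    }

# First 16 bytes of the hex dump shown in the post.
DUMP = bytes.fromhex("47 49 46 38 39 61 64 00 55 00 E6 00 00 FF FF FF")

if __name__ == "__main__":
    print(parse_gif_header(DUMP))
    print(extension_mismatch("report.doc", DUMP))  # constructed file name
```

For the dump above this reports a 100 x 85 image whose Packed byte (0xE6) declares a 128-entry color table, so the FF FF FF bytes that follow are the first color entry.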

